ON TAKING SQUARE ROOTS WITHOUT QUADRATIC NONRESIDUES OVER FINITE FIELDS

TSZ-WO SZE

Abstract. We present a novel idea to compute square roots over finite fields, without being given any quadratic nonresidue, and without assuming any unproven hypothesis. The algorithm is deterministic and the proof is elementary. In some cases, the square root algorithm runs in $O(\log^2 q)$ bit operations over finite fields with $q$ elements. As an application, we construct a deterministic primality proving algorithm, which runs in $\tilde O(\log^3 N)$ for some integers $N$.



1. Introduction

Let $\mathbb{F}_q$ be a finite field with $q$ elements and $\beta \in \mathbb{F}_q$ be a square. The square root problem over $\mathbb{F}_q$ is to find $\alpha \in \mathbb{F}_q$ such that $\alpha^2 = \beta$, given $\beta$ and $\mathbb{F}_q$ as inputs. Suppose $q \equiv 1 \pmod 8$ in this paper. Otherwise, the square root problem is easy; see [1], [13].

The problem of taking square roots over a finite field and the problem of constructing a quadratic nonresidue over the same finite field are polynomial time equivalent. If one can take square roots, one can compute $(-1)^{1/2}, (-1)^{1/4}, (-1)^{1/8}, \ldots$, and eventually obtain a quadratic nonresidue because the number of steps is $O(\log q)$. Conversely, given a quadratic nonresidue as an additional input, there are deterministic polynomial time algorithms [28], [24] and [1] for computing square roots. There is no known deterministic polynomial time square root algorithm over finite fields in general; therefore, there is no known deterministic polynomial time algorithm for constructing a quadratic nonresidue. We discuss some probabilistic approaches below for these two problems.

There is a simple, efficient probabilistic algorithm for finding a quadratic nonresidue because, in $\mathbb{F}_q$, the number of quadratic nonresidues is equal to the number of quadratic residues, and it is easy to determine whether an element is a quadratic nonresidue. One could randomly pick an element $a \in \mathbb{F}_q$, and then test whether $a$ is a quadratic nonresidue by computing $a^{(q-1)/2}$. The element $a$ is a quadratic nonresidue if and only if $a^{(q-1)/2} = -1$. Repeat this process until a quadratic nonresidue is found.

There are several efficient probabilistic algorithms for taking square roots in finite fields. When quadratic nonresidues are not given, Tonelli–Shanks [28], [24], Adleman–Manders–Miller [1] and Cipolla–Lehmer [10], [15] are considered as probabilistic algorithms since they require a quadratic nonresidue as an additional input. Berlekamp–Rabin [7], [20] takes square roots by polynomial factoring over finite fields. The idea of Peralta [21] is similar to Berlekamp–Rabin. For other results, see [4], [19], [14], [25] and [29].

We restrict our discussion to prime fields $\mathbb{F}_p$ for odd primes $p$ in the following paragraphs. Although there is no known deterministic polynomial time algorithm for taking square roots, or equivalently, constructing a quadratic nonresidue, over prime fields in general, deterministic polynomial time algorithms exist in some special cases.

Schoof [23] showed a deterministic algorithm for computing square roots of $\beta$ over $\mathbb{F}_p$ with running time $O((|\beta|^{1/2+\epsilon} \log p)^9)$ bit operations¹ for all $\epsilon > 0$. Thus, his algorithm is polynomial time for any fixed $\beta$ but it is exponential time in general.

For primes $p$ with $p \not\equiv 1 \pmod{240}$, a quadratic nonresidue over $\mathbb{F}_p$ can be constructed in deterministic polynomial time as shown below. Denote a primitive $r$th root of unity by $\zeta_r$. If $p \not\equiv 1 \pmod{16}$, at least one of

$\zeta_2 = -1$, $\zeta_4 = \pm\sqrt{-1}$, $\zeta_8 = \pm\frac{1}{\sqrt{2}}(1 \pm \sqrt{-1})$

is a quadratic nonresidue over $\mathbb{F}_p$. Suppose $p \equiv 1 \pmod 4$ for the following. If $p \equiv 2 \pmod 3$, then the Legendre symbol $\left(\frac{3}{p}\right) = \left(\frac{p}{3}\right) = \left(\frac{2}{3}\right) = -1$ by the law of quadratic reciprocity and so 3 is a quadratic nonresidue over $\mathbb{F}_p$. Similarly, 5 is a quadratic nonresidue over $\mathbb{F}_p$ for $p \equiv 2, 3 \pmod 5$. Suppose $p \equiv 4 \pmod 5$. Let

$\zeta_5 = \dfrac{a + \sqrt{a^2 - 4}}{2}$, where $a = \dfrac{-1 + \sqrt{5}}{2} \in \mathbb{F}_p$.

Then, $a^2 - 4$ is a quadratic nonresidue over $\mathbb{F}_p$ since $\zeta_5 \notin \mathbb{F}_p$. Note that the values of $\sqrt{-1}$, $\sqrt{2}$ and $\sqrt{5}$ that appeared previously can be computed by Schoof's square root algorithm in polynomial time. In conclusion, the problem of constructing a quadratic nonresidue over $\mathbb{F}_p$ is non-trivial only if $p \equiv 1 \pmod{16}$, $p \equiv 1 \pmod 3$ and $p \equiv 1 \pmod 5$.

We end our discussion on prime fields by considering the Extended Riemann Hypothesis (ERH). By assuming ERH, Ankeny [3] showed that the least² quadratic nonresidue over $\mathbb{F}_p$ is less than $c \log^2 p$ for some constant $c$. As a consequence, the probabilistic algorithm for finding a quadratic nonresidue mentioned previously can be improved to a deterministic polynomial time algorithm. It can be proved that the least quadratic nonresidue must be a prime. One could evaluate the Legendre symbol $\left(\frac{r}{p}\right) = r^{(p-1)/2} \pmod p$ with primes $r = 2, 3, 5, 7, \ldots$ until the least quadratic nonresidue is found.

In this paper, the main results and the main ideas are presented in Section 2 and Section 3 respectively. In Section 4 we construct a group and describe the arithmetic of the group. In Section 5 we show a deterministic square root algorithm over finite fields. As an application, a deterministic primality proving algorithm is constructed in Section 6. In the appendix (by L. Washington), we show how to construct roots of unity needed for Theorem 2.2.

¹ $|\beta|$ denotes the absolute value of $\beta$, where $\beta$ is considered as an integer in $(-\,\ldots$

² The elements in $\mathbb{F}_p$ are considered as non-negative integers.

2. Main Results

We present a novel idea to compute square roots over finite fields, without being given any quadratic nonresidue, and without assuming any unproven hypothesis. The square root algorithm, Algorithm 5.4, is deterministic and the proof is elementary. In some cases, the algorithm runs in $O(\log^2 q)$ bit operations over finite fields $\mathbb{F}_q$. As an application, we construct a deterministic primality proving algorithm, which runs in $\tilde O(\log^3 N)$ for some integers $N$. We prove the following theorems.

Theorem 2.1. Let $\mathbb{F}_q$ be a finite field with characteristic $p$ such that

$q = 2^e 3^f t + 1$ and $p \equiv 1 \pmod{12}$.

Suppose $t = O(\mathrm{poly}(\log q))$. There is a deterministic polynomial time square root algorithm over $\mathbb{F}_q$.

Theorem 2.2. Let $\mathbb{F}_q$ be a finite field with characteristic $p$ such that

$q = 2^e p_1^{e_1} \cdots p_n^{e_n} t + 1$, $p \equiv 13, 25 \pmod{36}$ and $p \equiv 1 \pmod{p_j}$,

where $p_j = 2 \cdot 3^{k_j} + 1$ are $n$ distinct primes for $k_j > 0$. Suppose $t + \sum p_j = O(\mathrm{poly}(\log q))$. There is a deterministic polynomial time square root algorithm over $\mathbb{F}_q$.

Theorem 2.3. Let $\mathbb{F}_q$ be a finite field with characteristic $p$ such that

$q = r^e t + 1$ for some prime $r$.

Suppose $r + t = O(\mathrm{poly}(\log q))$. There is a deterministic polynomial time square root algorithm over $\mathbb{F}_q$.

3. Main Ideas

Suppose $\beta \in \mathbb{F}_q^*$ is a square, where $\mathbb{F}_q$ is a finite field with $q$ elements. Then,

$\alpha^2 = \beta$ for some $\alpha \in \mathbb{F}_q^*$.

We present an idea to compute $\alpha$, given $\beta$ and $\mathbb{F}_q$. The problem of taking a square root of $\beta$ with arbitrary size is reduced to the problem of constructing a primitive $r$th root of unity $\zeta_r \in \mathbb{F}_q$ for some $r \mid q - 1$. The main ingredient of the reduction is a group isomorphism. More details are discussed below.

Let $G_\alpha$ be a group with the following properties:

(i) the group operation of $G_\alpha$ can be computed efficiently with $\beta$ but without the knowledge of $\alpha$,

(ii) $G_\alpha$ is isomorphic to the multiplicative group $\mathbb{F}_q^*$, and

(iii) the isomorphism $\psi_\alpha : G_\alpha \to \mathbb{F}_q^*$ depends on $\alpha$ as a parameter.

Since the isomorphism $\psi_\alpha$ depends on $\alpha$ while the value of $\alpha$ is unknown, $\psi_\alpha$ and its inverse are not at first efficiently computable. We try to match certain elements in $G_\alpha$ with the corresponding elements in $\mathbb{F}_q^*$. In the cases we considered, a matched pair reveals the isomorphism $\psi_\alpha$. Consequently, $\alpha$ can be computed.

We first find an order $r$ element in $G_\alpha$, where $r$ is an odd³ prime factor of $q - 1$. Write $q = r^e t + 1$ such that $(t, r) = 1$. Consider an element $[g] \in G_\alpha$. Suppose the order of $[g]$ is $d$ such that $r \mid d$. Then, $[a] = [g]^{d/r}$ is an order $r$ element. Note that there are $(r^e - 1)t$ possible $[g] \in G_\alpha$ leading to an order $r$ element $[a]$ but only $t$ elements are not.

³ The special case $r = 2$ can be handled differently. See Algorithm 5.4.

The element $[a]$ must be matched up with an order $r$ element in $\mathbb{F}_q^*$ through the isomorphism $\psi_\alpha$. Since $\mathbb{F}_q^*$ is cyclic, we have

$\psi_\alpha([a]) = \zeta_r^k$ for some $0 < k < r$,

where $\zeta_r \in \mathbb{F}_q$ is a primitive $r$th root of unity. Once the index $k$ is obtained, the parameter $\alpha$ of $\psi_\alpha$ can be computed.

The remaining problem is to find a primitive $r$th root of unity, $\zeta_r$. In some cases, $\zeta_r$ can be constructed by taking square roots of some fixed size elements over $\mathbb{F}_q$. These square roots can be computed by Schoof's square root algorithm. In some other cases, $\zeta_r$ can be constructed directly.

4. A Group Isomorphic to $\mathbb{F}_q^*$

Let $\mathbb{F}_q$ be a finite field with $q$ odd. Define the set

(4.1) $G'_\alpha \overset{\mathrm{def}}{=} \{[a] : a \in \mathbb{F}_q,\ a \ne \pm\alpha\}$ for some $\alpha \in \mathbb{F}_q^*$.

For distinguishing the elements in $G'_\alpha$ from the elements in $\mathbb{F}_q$, we denote the former by $[\,\cdot\,]$. The number of elements in $G'_\alpha$ is $q - 2$. By adding the element $[\infty]$ to $G'_\alpha$, we obtain

(4.2) $G_\alpha \overset{\mathrm{def}}{=} G'_\alpha \cup \{[\infty]\}$.

Define an operation $*$ on $G_\alpha$ as follows: $\forall\, [a] \in G_\alpha$ and $\forall\, [a_1], [a_2] \in G'_\alpha$ with $a_1 + a_2 \ne 0$,

(4.3) $[a] * [\infty] = [\infty] * [a] = [a]$,

(4.4) $[a_1] * [-a_1] = [\infty]$,

(4.5) $[a_1] * [a_2] = \left[\dfrac{a_1 a_2 + \alpha^2}{a_1 + a_2}\right]$.

Interestingly, $(G_\alpha, *)$ is a well-defined group, which is isomorphic to the multiplicative group $\mathbb{F}_q^*$. The group $G_\alpha$ provides a new computational point of view of $\mathbb{F}_q^*$. We will use $G_\alpha$ to construct a deterministic square root algorithm later.

Theorem 4.1. $(G_\alpha, *)$ is an Abelian group with identity $[\infty]$. The group $G_\alpha$ is isomorphic to the multiplicative group $\mathbb{F}_q^*$.

Proof. Define a bijective mapping

(4.6) $\psi : G_\alpha \to \mathbb{F}_q^*$, $[\infty] \mapsto 1$, $[a] \mapsto \dfrac{a + \alpha}{a - \alpha}$,

with inverse

(4.7) $\psi^{-1} : \mathbb{F}_q^* \to G_\alpha$, $1 \mapsto [\infty]$, $b \mapsto \left[\dfrac{\alpha(b + 1)}{b - 1}\right]$.

A straightforward calculation shows that $\psi$ is a homomorphism: for $c = (a_1 a_2 + \alpha^2)/(a_1 + a_2)$ one has $\dfrac{c + \alpha}{c - \alpha} = \dfrac{(a_1 + \alpha)(a_2 + \alpha)}{(a_1 - \alpha)(a_2 - \alpha)} = \psi([a_1])\,\psi([a_2])$. The Theorem follows. □

Note that $G_\alpha$ is cyclic because $\mathbb{F}_q^*$ is. Since $q$ is odd, there is a unique order 2 element in $G_\alpha$. For any $\alpha \in \mathbb{F}_q^*$, we have

$\psi([0]) = \dfrac{0 + \alpha}{0 - \alpha} = -1$.

Thus, $[0]$ is the order 2 element in $G_\alpha$, independent of the choice of $\alpha$. For more discussions on $G_\alpha$, see [26].
4.1. Singular Curves with a Double Point. We can reinterpret the group law in terms of "singular elliptic curves." Consider the curve

$E : y^2 = x^2 (x + \alpha^2)$.

Let $E(\mathbb{F}_q)$ be the points on the curve with coordinates in $\mathbb{F}_q$. The only singular point on $E(\mathbb{F}_q)$ is $(0, 0)$, which is a double point. Let $E_{ns}(\mathbb{F}_q)$ be the non-singular points on $E(\mathbb{F}_q)$. Then, the mapping

$\tau : E_{ns}(\mathbb{F}_q) \to \mathbb{F}_q^*$, $\infty \mapsto 1$, $(x, y) \mapsto \dfrac{y + \alpha x}{y - \alpha x}$

is an isomorphism from $E_{ns}(\mathbb{F}_q)$ to $\mathbb{F}_q^*$. The inverse is

$\tau^{-1} : \mathbb{F}_q^* \to E_{ns}(\mathbb{F}_q)$, $1 \mapsto \infty$, $\lambda \mapsto \left(\dfrac{4\alpha^2 \lambda}{(\lambda - 1)^2},\ \dfrac{4\alpha^3 \lambda(\lambda + 1)}{(\lambda - 1)^3}\right)$.

For proofs and details, see [31], pp. 61–63. Together with the isomorphism $\psi$ given in equation (4.6), we have

$G_\alpha \cong \mathbb{F}_q^* \cong E_{ns}(\mathbb{F}_q)$.

The isomorphism from $E_{ns}(\mathbb{F}_q)$ to $G_\alpha$ is surprisingly simple:

$\psi^{-1} \circ \tau : E_{ns}(\mathbb{F}_q) \to G_\alpha$, $\infty \mapsto [\infty]$, $(x, y) \mapsto [y/x]$.

Although it is possible to formulate our discussion in terms of the language of elliptic curves, we will keep using $G_\alpha$ in this paper.

5. Taking Square Roots

Suppose $\beta \in \mathbb{F}_q^*$ is a square. We have

$\alpha^2 = \beta$ for some $\alpha \in \mathbb{F}_q^*$.

Consider the group $G_\alpha$ defined in equation (4.2). Let $\zeta_d \in \mathbb{F}_q$ be a primitive $d$th root of unity for $d \mid q - 1$. We have the following proposition.

Proposition 5.1. Let $[a] \in G_\alpha$ such that $[a]^2 \ne [\infty]$. Suppose $[a]^d = [\infty]$ for some $d > 0$. Then,

$\alpha = \pm\dfrac{a(\zeta_d^k - 1)}{\zeta_d^k + 1}$ for some $0 < k < \dfrac{d}{2}$.

Proof. Since $\psi$ defined in equation (4.6) is an isomorphism, we have

$\psi([a])^d = \psi([a]^d) = \psi([\infty]) = 1$

over $\mathbb{F}_q$. Then

$\psi([a]) = \zeta_d^j$ for some $0 \le j < d$.

Since $[a]^2 \ne [\infty]$ by assumption, we have $j \ne 0$ and $j \ne \frac{d}{2}$. By applying $\psi^{-1}$ on both sides, we obtain

$[a] = \psi^{-1}(\zeta_d^j) = \left[\alpha(\zeta_d^j + 1)/(\zeta_d^j - 1)\right]$.

Therefore,

$\alpha = a(\zeta_d^j - 1)/(\zeta_d^j + 1)$.

If $j < \frac{d}{2}$, the proposition follows by setting $k = j$. If $j > \frac{d}{2}$, let $k = d - j < \frac{d}{2}$. Then,

$a(\zeta_d^k - 1)/(\zeta_d^k + 1) = a(\zeta_d^{-j} - 1)/(\zeta_d^{-j} + 1) = a(1 - \zeta_d^j)/(1 + \zeta_d^j) = -\alpha$.

The Proposition follows. □

Proposition 5.1 suggests a method to compute $\alpha$. The ingredients are (1) an element $[a] \in G_\alpha$ such that $[a]^d = [\infty]$, (2) a primitive $d$th root of unity $\zeta_d \in \mathbb{F}_q$, and (3) the index $k$. It also requires that the power $[a]^k$ has to be efficiently computable. Recall that $G'_\alpha$, which is defined in equation (4.1), is the set of all elements in $G_\alpha$ except the identity.

Lemma 5.2. Given a square $\beta \in \mathbb{F}_q^*$, the group operation $*$ over $G_\alpha$ can be performed in $O(\log q)$ bit operations without the knowledge of $\alpha$.

Proof. Clearly, the group operation involving the identity element is trivial. By equations (4.4) and (4.5), for any $[g_1], [g_2] \in G'_\alpha$,

(5.1) $[g_1] * [g_2] = \begin{cases} [\infty], & \text{if } g_1 + g_2 = 0, \\ \left[\dfrac{g_1 g_2 + \beta}{g_1 + g_2}\right], & \text{otherwise.} \end{cases}$

Note that equation (5.1) does not involve $\alpha$. Therefore, the group operation $*$ over $G_\alpha$ can be computed by a few field operations over $\mathbb{F}_q$ in the worst case. The Lemma follows from the fact that field operations over $\mathbb{F}_q$ can be performed in $O(\log q)$ bit operations; see [13], [22], [30]. □

Lemma 5.3. Given a square $\beta \in \mathbb{F}_q^*$, the power $[g]^k$ for any $[g] \in G'_\alpha$ can be computed in $O(\log k \log q)$ bit operations without the knowledge of $\alpha$.

Proof. The power $[g]^k$ can be evaluated in $O(\log k)$ group operations using the successive squaring method. The Lemma follows from Lemma 5.2. □

5.1. The Algorithm. In this section, we present a deterministic square root algorithm over $\mathbb{F}_q$. Write

(5.2) $q = 2^e p_1^{e_1} \cdots p_n^{e_n} t + 1$,

where $p_1, \ldots, p_n$ are $n$ distinct odd primes and $t, e, e_1, \ldots, e_n$ are positive integers such that $(2 p_1 \cdots p_n, t) = 1$. Suppose $e > 1$. Otherwise, the square root problem is easy. We have the following algorithm.

Algorithm 5.4 (Taking Square Roots). The inputs are $\beta$ and $\mathbb{F}_q$, where $\beta \in \mathbb{F}_q^*$ is a square. This algorithm returns $\pm\sqrt{\beta}$.

I. Consider $2t - 1$ distinct elements $g_1, g_2, \ldots, g_{2t-1} \in \mathbb{F}_q^*$.

  I.1 If there exists $t'$ such that $g_{t'}^2 = \beta$, then return $\pm g_{t'}$.

  I.2 Otherwise, set $g = g_{t''}$ for some $t''$ such that $[g_{t''}]^{2t} \ne [\infty]$.

II. If $[g]^{(q-1)/2^{e-1}} \ne [\infty]$, do the following:

  II.1 Find the largest $k$ such that $[g]^{(q-1)/2^k} = [\infty]$.

  II.2 Compute $[a] = [g]^{(q-1)/2^{k+2}}$, an order 4 element in $G_\alpha$.

  II.3 Return $\pm a\sqrt{-1}$.

III. Find $m$ such that $[g]^{(q-1)/p_m^{e_m}} \ne [\infty]$.

IV. Set $r = p_m$ and then do the following:

  IV.1 Find the largest $k$ such that $[g]^{(q-1)/r^k} = [\infty]$.

  IV.2 Compute $[a] = [g]^{(q-1)/r^{k+1}}$, an order $r$ element in $G_\alpha$.

  IV.3 Compute $\zeta = \zeta_r \in \mathbb{F}_q$, a primitive $r$th root of unity.

  IV.4 Find $j$ such that $\left(a(\zeta^j - 1)/(\zeta^j + 1)\right)^2 = \beta$ for $1 \le j \le \frac{r-1}{2}$.

  IV.5 Return $\pm a(\zeta^j - 1)/(\zeta^j + 1)$.



Theorem 5.5. Algorithm 5.4 returns the square roots of $\beta$.

Proof. Clearly, if $t'$ exists in Step I.1, the algorithm returns the square roots of $\beta$. Otherwise, $[g_1], [g_2], \ldots, [g_{2t-1}]$ are elements in $G_\alpha$. There are $2t + 1$ distinct elements

$[\infty], [0], [g_1], [g_2], \ldots, [g_{2t-1}] \in G_\alpha$.

Since $G_\alpha$ is cyclic, the $2t$-torsion subgroup

$H = \{[a] \in G_\alpha : [a]^{2t} = [\infty]\}$

has exactly $2t$ elements. We have $[\infty], [0] \in H$. Therefore, there exists $t''$ such that $[g_{t''}] \notin H$. In Step I.2, we obtain $g = g_{t''}$ such that $[g] \notin H$. Denote the order of $[g]$ by $d$ for the rest of the proof.

In Step II, if $[g]^{(q-1)/2^{e-1}} \ne [\infty]$, there exists $0 \le k \le e - 1$ such that

$[g]^{(q-1)/2^k} = [\infty]$ and $[g]^{(q-1)/2^{k+1}} \ne [\infty]$.

In Step II.2, the order of $[a] = [g]^{(q-1)/2^{k+2}} \in G_\alpha$ is 4. The algorithm returns

$\pm\dfrac{a(\zeta_4 - 1)}{\zeta_4 + 1} = \pm a\sqrt{-1}$,

which are the square roots of $\beta$ by Proposition 5.1. If $[g]^{(q-1)/2^{e-1}} = [\infty]$, we have

(5.3) $d \mid 2t\, p_1^{e_1} \cdots p_n^{e_n}$.

In Step III, such $m$ exists. Otherwise, suppose $[g]^{(q-1)/p_m^{e_m}} = [\infty]$ for all $m$. Then

$d \mid (q - 1)/p_m^{e_m}$ for all $m$.

Hence,

$d \mid 2^e t$.

Together with (5.3), we have

$d \mid 2t$,

which contradicts $[g] \notin H$.

Step IV is similar to Step II. Since $[g]^{(q-1)/r^{e_m}} \ne [\infty]$, there exists $0 \le k < e_m$ such that

$[g]^{(q-1)/r^k} = [\infty]$ and $[g]^{(q-1)/r^{k+1}} \ne [\infty]$.

The order of $[a] = [g]^{(q-1)/r^{k+1}} \in G_\alpha$ is $r$ in Step IV.2. By Proposition 5.1,

$\alpha = \pm\dfrac{a(\zeta^j - 1)}{\zeta^j + 1}$ for some $1 \le j \le \dfrac{r - 1}{2}$.

The Theorem follows. □
Proposition 5.6. Algorithm 5.4 runs in

$O\big((t \log t + p_{\max} + \log q)\log q + Z_{\max}\big)$

bit operations, where $p_{\max} = \max(p_1, \ldots, p_n)$ and $Z_{\max} = \max(Z_4, Z_{p_1}, \ldots, Z_{p_n})$, where $Z_d$ is the time required to construct a $d$th root of unity over $\mathbb{F}_q$.

Proof. Writing $q$ in the form of equation (5.2) by trial divisions requires $O(p_{\max} \log q)$.

The running time of Step I is $O(t \log t \log q)$ since multiplications over $\mathbb{F}_q$ and powering over $G_\alpha$ can be performed in $O(\log q)$ and $O(\log t \log q)$, respectively.

In Step II, computing $[g]^{(q-1)/2^{e-1}}$, finding the required $k$ in Step II.1 and computing $[a]$ in Step II.2 take $O(\log^2 q)$. It also requires $O(Z_4)$ to compute $\zeta_4 = \sqrt{-1}$. The running time of Step II is $O(\log^2 q + Z_4)$.

Clearly, the running time of Step III is $O(n \log^2 q)$.

Step IV is similar to Step II except that there are $(r - 1)/2$ possible $j$ in Step IV.4, which takes $O(r \log q)$. The running time of Step IV is $O((r + \log q)\log q + Z_r)$. The Proposition follows. □

Corollary 5.7. Algorithm 5.4 runs in polynomial time when

$t + p_{\max} + Z_{\max} = O(\mathrm{poly}(\log q))$.

Proof. This immediately follows from Proposition 5.6. □

We consider some special cases in the rest of the section.

5.2. Case $q = 2^e 3^f t + 1$. Consider the finite fields $\mathbb{F}_q$ with characteristic $p$ such that $q = 2^e 3^f t + 1$ and $p \equiv 1 \pmod{12}$. Note that $e \ge 2$ and $f \ge 1$ because $p \equiv 1 \pmod{12}$. We prove Theorem 2.1 below.

Proof of Theorem 2.1. The elements $-1$ and $-3$ are squares in the prime field $\mathbb{F}_p$. We can compute $\zeta_3 = \dfrac{-1 \pm \sqrt{-3}}{2}$ and $\zeta_4 = \sqrt{-1}$ in $O(\log^9 p)$ by Schoof's square root algorithm. Then, the running time of Algorithm 5.4 is

$O\big((t \log t + \log q)\log q + \log^9 p\big)$

bit operations by Proposition 5.6. Since $t = O(\mathrm{poly}(\log q))$ by assumption, the Theorem follows. □

5.3. Constructing Primitive $(2 \cdot 3^k + 1)$th Roots of Unity. Suppose $p$ is a prime with $p \equiv 1 \pmod 4$ and $p \equiv 4, 7 \pmod 9$. We show in Lemma 5.8 below that cube roots over $\mathbb{F}_p$ can be computed efficiently. As a consequence, a primitive $r$th root of unity $\zeta_r$, for prime $r = 2 \cdot 3^k + 1$ and some $k \ge 1$, can be computed in polynomial time by the method described in the Appendix. We will prove Theorem 2.2 after Lemma 5.8.

Lemma 5.8. Let $p$ be a prime with $p \equiv 1 \pmod 4$ and $p \equiv 4, 7 \pmod 9$. Cube roots over $\mathbb{F}_p$ can be computed in polynomial time.

Proof. We can compute $\zeta_3 = \dfrac{-1 \pm \sqrt{-3}}{2} \in \mathbb{F}_p$ by Schoof's square root algorithm. Let $b \in \mathbb{F}_p$ be a cubic residue. We have $b^{(p-1)/3} = 1$. If $p \equiv 4 \pmod 9$, let $a = b^{(2p+1)/9}$. Then,

$a^3 = b^{(2p+1)/3} = b^{1 + 2(p-1)/3} = b$.

Therefore, $b^{(2p+1)/9}$, $b^{(2p+1)/9}\zeta_3$ and $b^{(2p+1)/9}\zeta_3^2$ are cube roots of $b$. Similarly, if $p \equiv 7 \pmod 9$, let $a = b^{(p+2)/9}$. Then,

$a^3 = b^{(p+2)/3} = b^{1 + (p-1)/3} = b$.

Therefore, $b^{(p+2)/9}$, $b^{(p+2)/9}\zeta_3$ and $b^{(p+2)/9}\zeta_3^2$ are cube roots of $b$. All computations can be performed in polynomial time. The lemma follows. □

Proof of Theorem 2.2. The square roots $\sqrt{-1}, \sqrt{p_1}, \sqrt{p_2}, \ldots, \sqrt{p_n} \in \mathbb{F}_p$ can be computed using Schoof's square root algorithm. Since $p \equiv 13, 25 \pmod{36}$, cube roots over $\mathbb{F}_p$ can be computed in polynomial time by Lemma 5.8. Then, the primitive roots of unity $\zeta_{p_1}, \zeta_{p_2}, \ldots, \zeta_{p_n} \in \mathbb{F}_p$ can be constructed by the method described in the Appendix. Since $t + \sum p_j = O(\mathrm{poly}(\log q))$ by assumption, Algorithm 5.4 runs in polynomial time by Corollary 5.7. The Theorem follows. □

5.4. Searching for Primitive Roots of Unity. In the previous sections, the square root problem with arbitrary size elements is first reduced to the problem of constructing primitive roots of unity, which is further reduced to the square root problem with some fixed size elements. We show in Algorithm 5.9 below that a primitive root of unity can be constructed efficiently without the need of taking square roots in some cases. We will prove Theorem 2.3 at the end of the section.

Algorithm 5.9 (Constructing a Primitive $r$th Root of Unity). The inputs are $r$ and $\mathbb{F}_q$ for some odd prime $r$ such that $q = r^e t + 1$ and $(r, t) = 1$. This algorithm returns a primitive $r$th root of unity in $\mathbb{F}_q$.

1. Consider $t + 1$ distinct elements $g_1, \ldots, g_{t+1} \in \mathbb{F}_q^*$. Set $g = g_j$ such that $g_j^t \ne 1$.

2. Find the largest $k$ such that $g^{(q-1)/r^k} = 1$.

3. Return $g^{(q-1)/r^{k+1}}$.

Lemma 5.10. Algorithm 5.9 returns a primitive $r$th root of unity.

Proof. Since the $t$-torsion subgroup of $\mathbb{F}_q^*$ only has $t$ elements but there are $t + 1$ distinct elements $g_1, g_2, \ldots, g_{t+1}$, there exists an element $g_j$ such that $g_j^t \ne 1$. Let $d$ be the order of $g = g_j$. Then, $r$ divides $d$ and there exists $k$ such that

$g^{(q-1)/r^k} = 1$ and $g^{(q-1)/r^{k+1}} \ne 1$,

which means that $g^{(q-1)/r^{k+1}}$ is a primitive $r$th root of unity. □

Lemma 5.11. Algorithm 5.9 runs in $O((t \log t + \log q)\log q)$ bit operations.

Proof. The running time for Step 1 is $O(t \log t \log q)$ and the running time for Step 2 and Step 3 is $O(\log^2 q)$. The Lemma follows. □

Similarly, we may construct a primitive 4th root of unity by Algorithm 5.12 below. The correctness proof for Algorithm 5.12 is similar to the proof given for Lemma 5.10. The running time is also $O((t \log t + \log q)\log q)$.

Algorithm 5.12 (Constructing a Primitive 4th Root of Unity). The input is $\mathbb{F}_q$ such that $q = 2^e t + 1$, where $e > 1$ and $t$ is odd. This algorithm returns a primitive 4th root of unity in $\mathbb{F}_q$.

1. Consider $2t + 1$ distinct elements $g_1, \ldots, g_{2t+1} \in \mathbb{F}_q^*$. Set $g = g_j$ such that $g_j^{2t} \ne 1$.

2. Find the largest $k$ such that $g^{(q-1)/2^k} = 1$.

3. Return $g^{(q-1)/2^{k+2}}$.

Proof of Theorem 2.3. If $r = 2$, construct $\zeta_4$ by Algorithm 5.12. Otherwise, construct $\zeta_r$ by Algorithm 5.9. The running time is $O((t \log t + \log q)\log q)$ for either case. Then, the running time of Algorithm 5.4 is

$O\big((t \log t + r + \log q)\log q\big)$

bit operations by Proposition 5.6. Since $r + t = O(\mathrm{poly}(\log q))$ by assumption, the Theorem follows. □

6. Deterministic Primality Proving

We briefly describe a deterministic primality proving algorithm as an application of the square root algorithm. For more details, see [27].

Suppose $N = 2^e t + 1 > 3$ for some odd $t$ with $2^e > t$. Try to compute $\sqrt{-1}$ by Algorithm 5.12 and then try to compute $(-1)^{1/4}, (-1)^{1/8}, \ldots, (-1)^{1/2^{e-1}}$ by Algorithm 5.4. If $(-1)^{1/2^{e-1}}$ is obtained, then $N$ is a prime by Proth's Theorem (Theorem 6.1 below). Otherwise, since the square root algorithm is deterministic, the computation process must fail at some point and then we conclude that $N$ is composite. Such a primality proving algorithm is deterministic and runs in

$O\big((t \log t + \log N)\log^2 N\big)$

bit operations.

The algorithm runs in $\tilde O(\log^3 N)$ when $t$ is $O(\log N)$. For this kind of numbers, the algorithm is faster than other applicable deterministic algorithms. The running times of the AKS algorithm [2] and Lenstra–Pomerance's modified AKS algorithm [2] are $O(\log^{7.5} N)$ and $O(\log^6 N)$, respectively. Assuming ERH, Miller's algorithm [17] is deterministic with running time $O(\log^4 N)$.

Theorem 6.1 (Proth's Theorem). Let $N = 2^e t + 1$ for some odd $t$ with $2^e > t$. If

$a^{(N-1)/2} \equiv -1 \pmod N$

for some $a$, then $N$ is a prime.

See [32] for the details of Proth's Theorem.
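The following Python implementation is added here and is not the paper's code: it puts the group law (5.1) of Section 4, Algorithm 5.4 together with the root-of-unity searches of Algorithms 5.9 and 5.12, and the Proth-based primality proof of Section 6 into runnable form over a prime field $\mathbb{F}_q$. The function names (`g_mul`, `g_pow`, `root_of_unity`, `sqrt_mod`, `proth_prove`), the representation of $[\infty]$ as `None`, and the caller's choice of which odd primes $p_i$ are split out of $q - 1$ in (5.2) are this example's own assumptions; roots of unity come from the deterministic searches of Section 5.4 rather than from Schoof's algorithm.

```python
INF = None  # the identity [∞] of G_alpha; every other element [a] is the integer a mod q


def g_mul(a1, a2, beta, q):
    """[a1] * [a2] by equation (5.1): needs beta = alpha^2 but never alpha itself."""
    if a1 is INF:
        return a2
    if a2 is INF:
        return a1
    s = (a1 + a2) % q
    if s == 0:
        return INF  # equation (4.4)
    return (a1 * a2 + beta) * pow(s, -1, q) % q  # ValueError if s is not a unit mod q


def g_pow(g, k, beta, q):
    """[g]^k by successive squaring, O(log k) group operations (Lemma 5.3)."""
    acc, base = INF, g
    while k:
        if k & 1:
            acc = g_mul(acc, base, beta, q)
        base = g_mul(base, base, beta, q)
        k >>= 1
    return acc


def root_of_unity(r, q):
    """Algorithm 5.9 (odd prime r: primitive r-th root) or 5.12 (r = 2: primitive 4th root)."""
    m, e = q - 1, 0
    while m % r == 0:
        m, e = m // r, e + 1  # q - 1 = r^e * m with gcd(r, m) = 1
    tors = 2 * m if r == 2 else m  # the search must leave the t- (resp. 2t-) torsion subgroup
    g = next((x for x in range(1, tors + 2) if pow(x, tors, q) != 1), None)
    if g is None:
        return None  # cannot happen for prime q (Lemma 5.10)
    k = 0  # largest k with g^((q-1)/r^k) = 1
    while pow(g, (q - 1) // r ** (k + 1), q) == 1:
        k += 1
    return pow(g, (q - 1) // r ** (k + 1 + (r == 2)), q)


def sqrt_mod(beta, q, odd_primes=()):
    """Algorithm 5.4: a square root of beta, with q = 2^e p_1^e_1 ... p_n^e_n t + 1 as in (5.2)."""
    m, e = q - 1, 0
    while m % 2 == 0:
        m, e = m // 2, e + 1
    exps = {}
    for p in odd_primes:  # the odd primes p_i split out of q - 1; what remains is t
        exps[p] = 0
        while m % p == 0:
            m, exps[p] = m // p, exps[p] + 1
    t, g = m, None
    for cand in range(1, 2 * t):  # Step I: the 2t - 1 distinct elements 1, ..., 2t - 1
        if cand * cand % q == beta:
            return cand  # Step I.1
        if g is None and g_pow(cand, 2 * t, beta, q) is not INF:
            g = cand  # Step I.2: [g] outside the 2t-torsion subgroup (exists for prime q)
    if g_pow(g, (q - 1) >> (e - 1), beta, q) is not INF:  # Step II
        k = 0
        while k + 2 < e and g_pow(g, (q - 1) >> (k + 1), beta, q) is INF:
            k += 1  # Step II.1: largest k with [g]^((q-1)/2^k) = [∞]
        a = g_pow(g, (q - 1) >> (k + 2), beta, q)  # Step II.2: an order-4 element
        return None if a is INF else a * root_of_unity(2, q) % q  # Step II.3: a * sqrt(-1)
    for r, er in exps.items():  # Step III: a p_m with [g]^((q-1)/p_m^e_m) != [∞]
        if g_pow(g, (q - 1) // r ** er, beta, q) is INF:
            continue
        k = 0  # Step IV.1
        while k + 1 < er and g_pow(g, (q - 1) // r ** (k + 1), beta, q) is INF:
            k += 1
        a = g_pow(g, (q - 1) // r ** (k + 1), beta, q)  # Step IV.2: an order-r element
        zeta = root_of_unity(r, q)  # Step IV.3
        for j in range(1, (r - 1) // 2 + 1):  # Step IV.4: the candidates of Proposition 5.1
            zj = pow(zeta, j, q)
            cand = a * (zj - 1) * pow(zj + 1, -1, q) % q
            if cand * cand % q == beta:
                return cand  # Step IV.5
    return None


def proth_prove(N):
    """Section 6: deterministic primality proof of N = 2^e t + 1 with t odd and 2^e > t."""
    t, e = N - 1, 0
    while t % 2 == 0:
        t, e = t // 2, e + 1
    if N < 5 or 2 ** e <= t:
        raise ValueError("N must be 2^e t + 1 > 3 with t odd and 2^e > t")
    try:
        a = root_of_unity(2, N)  # (-1)^(1/2) by Algorithm 5.12
        for _ in range(e - 2):  # then (-1)^(1/4), ..., (-1)^(1/2^(e-1)) by Algorithm 5.4
            a = sqrt_mod(a, N) if a is not None else None
    except ValueError:  # a non-invertible denominator exposes a factor: N is composite
        return False
    return a is not None and pow(a, (N - 1) // 2, N) == N - 1  # Proth's theorem
```

Passing `odd_primes=()` keeps the whole odd part of $q - 1$ in $t$, so only Steps I and II run (the setting of Section 6); listing the small odd primes of $q - 1$ instead exercises Steps III and IV and the search over $j$ of Proposition 5.1.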
Appendix: Computing roots of unity (by L. Washington)

Let $q = 2 \cdot 3^n + 1$ be prime. We show how to construct a $q$th root of unity mod $p$ (where $p$ is some prime) in polynomial time in $\log p$ for a fixed $q$.

There are several such primes. The values of $n < 6000$ are 1, 2, 4, 5, 6, 9, 16, 17, 30, 54, 57, 60, 65, 132, 180, 320, 696, 782, 822, 897, 1252, 1454, 4217, 5480, corresponding to the primes $q = 7, 19, 163, \ldots$ It is reasonable to conjecture that there are infinitely many such $q$ (this is similar to the conjecture that there are infinitely many Mersenne primes).

Let $\zeta_q$ be a primitive $q$th root of unity and let $\rho$ be a primitive cube root of unity. Let $G$ be the Galois group of $\mathbb{Q}(\zeta_q, \rho)/\mathbb{Q}(\rho, \sqrt{-q})$. Then $G$ is cyclic of order $(q - 1)/2 = 3^n$. Let $\sigma$ be a generator and let

$\sigma_k = \sigma^{3^{n-k}}$.

Then $\sigma_k$ generates a subgroup of $G$ of order $3^k$. The fixed field $K_k$ of $\sigma_k$ is of degree $3^{n-k}$ over $\mathbb{Q}(\rho, \sqrt{-q})$.

We want to obtain an expression for a $q$th root of unity that involves only $\sqrt{-q}$ and taking cube roots. The basic idea is the following. Suppose we want to compute $r \in K_m$. Let $r_1 = r$, $r_2 = \sigma_{m+1}(r)$, $r_3 = \sigma_{m+1}^2(r)$ be the Galois conjugates of $r$ over $K_{m+1}$. Let

$f = r_1 + r_2 + r_3$, $g = r_1 + \rho r_2 + \rho^2 r_3$, $h = r_1 + \rho^2 r_2 + \rho r_3$.

Then $\sigma_{m+1}(g) = \rho^2 g$, so $g^3$ is fixed by $\sigma_{m+1}$ and therefore lies in $K_{m+1}$. Similarly, $f^3, h^3 \in K_{m+1}$. If we can determine the values of $f^3, g^3, h^3$, and if we can compute their cube roots, then we know $f, g, h$ up to cube roots of unity. So, let's assume that we know $f, g, h$. Then $r_1 = (f + g + h)/3$, $r_2 = (f + \rho^2 g + \rho h)/3$, $r_3 = (f + \rho g + \rho^2 h)/3$, so we recover $r_1, r_2, r_3$.

Start with $r = \zeta_q$. We will actually use the procedure for $r$ and its Galois conjugates $\sigma^3(r), \sigma^6(r), \sigma^9(r), \ldots$. The above reduces the computation of $\zeta_q$ and its Galois conjugates to finding the cube roots of certain elements of $K_1$. In fact, these elements of $K_1$ are $f^3, g^3, h^3$ and their Galois conjugates over $K_n = \mathbb{Q}(\sqrt{-q}, \rho)$. We then reduce the computation of these elements to finding the cube roots of certain elements of $K_2$ and their conjugates. Continuing in this manner, we eventually reduce the problem to computing cube roots of elements of $K_n$. Note that each time that we formed a sum $g$, we also formed a sum $h$. These are conjugate via the automorphism that sends $\rho$ to $\rho^2$ and fixes $\zeta_q$. Therefore, the elements of $K_n$ that we obtain are in pairs $z_1, z_2$ that are conjugate over $\mathbb{Q}(\sqrt{-q})$. Both $z_1 + z_2$ and $(z_1 - z_2)/\sqrt{-3}$ are fixed by $\mathrm{Gal}(K_n/\mathbb{Q}(\sqrt{-q}))$, so they lie in $\mathbb{Q}(\sqrt{-q})$. The real and imaginary parts are rational numbers, and it is easy to bound the denominators. Therefore, we can recognize these as rational numbers by floating point computations. Working back through the preceding and taking the necessary cube roots, we obtain an expression for $\zeta_q$.

The expression obtained for $\zeta_q$ can be reduced mod $p$. There will be some ambiguity caused by the cube roots being determined only up to powers of $\rho$, so we obtain a finite list of possibilities for $\zeta_q$. Taking their $q$th powers identifies a primitive $q$th root of unity.

The above is best understood via an example. Let $q = 19$. The Galois group $G$ is generated by $\sigma$, which maps $\zeta_{19}$ to $\zeta_{19}^{s}$ for a suitable exponent $s$; also $\sigma_1 = \sigma^3$ maps $\zeta_{19}$ to $\zeta_{19}^{s^3}$. Form

$f_0 = \zeta_{19} + \sigma_1(\zeta_{19}) + \sigma_1^2(\zeta_{19})$.

The Galois conjugates are $f_0, \sigma(f_0), \sigma^2(f_0)$.
It is classical, and easily verified numerically, that

$f_0 + \sigma(f_0) + \sigma^2(f_0) = \dfrac{-1 + \sqrt{-19}}{2}$.

Define

$x_0 = \big(f_0 + \rho\,\sigma(f_0) + \rho^2\sigma^2(f_0)\big)^3$,
$x_1 = \big(f_0 + \rho^2\sigma(f_0) + \rho\,\sigma^2(f_0)\big)^3$.

Then $\sigma$ fixes $x_0$ and $x_1$, so they lie in $\mathbb{Q}(\sqrt{-19}, \rho)$. Moreover, the map that switches $\rho$ and $\rho^2$ and fixes $\zeta_{19}$ switches $x_0$ and $x_1$. Therefore, $x_0 + x_1$ and $(x_0 - x_1)/\sqrt{-3}$ are in $\mathbb{Q}(\sqrt{-19})$. Numerical computation shows that

$x_0 + x_1 = \tfrac{1}{2}(19 - 17\sqrt{-19})$,
$\dfrac{x_0 - x_1}{\sqrt{-3}} = \tfrac{1}{2}(-57 - 9\sqrt{-19})$.

(Note that these numbers are algebraic integers, so rounding the results of a floating point computation yields exact answers.) Therefore,

$x_0 = \tfrac{1}{4}(19 - 17\sqrt{-19} - 57\sqrt{-3} + 9\sqrt{57})$,
$x_1 = \tfrac{1}{4}(19 - 17\sqrt{-19} + 57\sqrt{-3} - 9\sqrt{57})$,

where $\sqrt{57} = \sqrt{-3}\sqrt{-19}$.

Therefore, since $1 + \rho + \rho^2 = 0$, we obtain

$f_0 = \tfrac{1}{3}\left(\dfrac{-1 + \sqrt{-19}}{2} + x_0^{1/3} + x_1^{1/3}\right)$

with an appropriate choice of cube roots of $x_0$ and $x_1$.

Define

$f_1 = \big(\zeta_{19} + \rho\,\sigma_1(\zeta_{19}) + \rho^2\sigma_1^2(\zeta_{19})\big)^3$,
$f_2 = \big(\zeta_{19} + \rho^2\sigma_1(\zeta_{19}) + \rho\,\sigma_1^2(\zeta_{19})\big)^3$.

Then $f_1$ and $f_2$ are fixed by $\sigma_1$, hence lie in $K_1$. Let

$y_1 = f_1 + \sigma(f_1) + \sigma^2(f_1)$,
$y_2 = f_2 + \sigma(f_2) + \sigma^2(f_2)$.

Then $y_1$ and $y_2$ lie in $\mathbb{Q}(\sqrt{-19}, \rho)$. Numerical computation yields

$y_1 + y_2 = 38 - \sqrt{-19}$,
$\dfrac{y_1 - y_2}{\sqrt{-3}} = 3\sqrt{-19}$,

hence

$y_1 = \tfrac{1}{2}(38 - \sqrt{-19} - 3\sqrt{57})$,
$y_2 = \tfrac{1}{2}(38 - \sqrt{-19} + 3\sqrt{57})$.

Let

$x_2 = \big(f_1 + \rho\,\sigma(f_1) + \rho^2\sigma^2(f_1)\big)^3$,
$x_3 = \big(f_1 + \rho^2\sigma(f_1) + \rho\,\sigma^2(f_1)\big)^3$,
$x_4 = \big(f_2 + \rho\,\sigma(f_2) + \rho^2\sigma^2(f_2)\big)^3$,
$x_5 = \big(f_2 + \rho^2\sigma(f_2) + \rho\,\sigma^2(f_2)\big)^3$.

Then

$x_2 + x_5 = \tfrac{1}{2}(-1007 + 4373\sqrt{-19})$,
$\dfrac{x_2 - x_5}{\sqrt{-3}} = \tfrac{1}{2}(-10659 - 99\sqrt{-19})$,
$x_3 + x_4 = 1292 - 1121\sqrt{-19}$,
$\dfrac{x_3 - x_4}{\sqrt{-3}} = 2850 + 171\sqrt{-19}$.

Solving yields

$x_2 = \tfrac{1}{4}(-1007 + 4373\sqrt{-19} - 10659\sqrt{-3} + 99\sqrt{57})$,
$x_3 = \tfrac{1}{2}(1292 - 1121\sqrt{-19} + 2850\sqrt{-3} - 171\sqrt{57})$,
$x_4 = \tfrac{1}{2}(1292 - 1121\sqrt{-19} - 2850\sqrt{-3} + 171\sqrt{57})$,
$x_5 = \tfrac{1}{4}(-1007 + 4373\sqrt{-19} + 10659\sqrt{-3} - 99\sqrt{57})$.

Again, since $1 + \rho + \rho^2 = 0$, we have

$f_1 = \tfrac{1}{3}\left(x_2^{1/3} + x_3^{1/3} + y_1\right)$

with an appropriate choice of cube roots. The search for the appropriate cube roots can be shortened, for example, by using the fact that $x_2^{1/3} x_5^{1/3}$ is fixed by $\sigma$ and is unchanged under the automorphism that maps $\rho$ to $\rho^2$ and which fixes $\zeta_{19}$. It therefore lies in $\mathbb{Q}(\sqrt{-19})$. Numerical computations show that $x_2^{1/3} x_5^{1/3} = -114 - 4\sqrt{-19}$. Therefore, the choice of cube root for one of $x_2^{1/3}$ and $x_5^{1/3}$ determines the other.

Putting all of the above together, we obtain

$\zeta_{19} = \tfrac{1}{3}\left(f_0 + f_1^{1/3} + f_2^{1/3}\right)$

with an appropriate choice of cube roots.

Schoof's square root algorithm allows us to calculate $\sqrt{-3}$ and $\sqrt{-19}$ in time polynomial in $\log p$. If taking cube roots mod $p$ is easy (for example, if $p \equiv 4, 7 \pmod 9$), then the above quickly calculates several possibilities for $\zeta_{19}$, corresponding to the choices of cube roots. Each possibility can be tested to determine whether or not it is a primitive 19th root of unity. This will yield the desired $\zeta_{19}$ in time polynomial in $\log p$.